On the morning of March 31, 2026, security researcher Chaofan Shou downloaded the latest version of Anthropic's Claude Code CLI tool from the npm registry and noticed something odd: the package was 60 MB. The normal build was a fraction of that. Inside was a single file — cli.js.map — containing the complete, unobfuscated TypeScript source code for one of the most closely guarded AI development tools in the industry. All 512,000 lines of it.
By the time Anthropic issued DMCA takedown notices that afternoon, the code had already been mirrored to GitHub, archived to Cloudflare, and forked tens of thousands of times. What followed became one of the most scrutinized accidental disclosures in AI history.
Here's exactly what happened, what was inside, and what it means — with citations so you can verify every claim yourself.
What Happened: Three Failures at Once
The leak wasn't one mistake. It was three independent failures that all aligned on the same release.
The Bun bundler bug. Anthropic migrated Claude Code's build pipeline to Bun, a modern JavaScript runtime and bundler. Bun has a documented open bug (issue #28001): even when you explicitly set development: false in the build config, Bun still generates source map files. Source maps are debugging artifacts that map minified, bundled JavaScript back to the original source code — useful in development, catastrophic if shipped in a public package.
The missing .npmignore. npm packages have two ways to exclude files from publication: a files field in package.json specifying what to include, or a .npmignore file specifying what to exclude. Claude Code had neither a *.map exclusion rule nor a files allowlist that would have blocked source maps from the published tarball. The 60 MB file went out with the package.
No pre-publish CI check. A standard safeguard in production package pipelines is a dry-run step — npm pack --dry-run — that lists exactly what would be published before it goes live. That check wasn't in place. Nobody saw the package size balloon from a few MB to 60 MB before it hit the registry.
Version 2.1.88 of @anthropic-ai/claude-code published with the full source inside. Anyone who ran npm install -g @anthropic-ai/claude-code that morning received it automatically.
Anthropic's statement to BleepingComputer was direct: "Earlier today, a Claude Code release included some internal source code. No sensitive customer data or credentials were involved or exposed." The company classified it as "a release packaging issue caused by human error, not a security breach."
What Was Inside: 512,000 Lines of Unscheduled Transparency
The leaked codebase contained approximately 1,906 files and 512,000 lines of TypeScript. Researchers spent the hours after discovery reading through it carefully. Several things stood out.
KAIROS — an autonomous background agent, unreleased. Referenced over 150 times in the source, KAIROS is described as a persistent daemon that runs between sessions, receives periodic "tick" prompts, and can independently decide to take actions — monitoring GitHub webhooks, sending notifications, spinning up tasks — without being explicitly invoked. The name is taken from the Greek concept of "the right moment," the idea that an agent acts when conditions are correct rather than when commanded. This feature has not been publicly announced.
ULTRAPLAN — remote planning on Opus. ULTRAPLAN offloads complex planning tasks to a remote cloud runtime running Opus 4.6, with a planning window of up to 30 minutes. The local terminal polls the cloud every 3 seconds, and a browser-based UI lets users monitor the plan in progress and approve or reject it before execution begins. Again, not publicly announced at the time of the leak.
Model codenames. The source revealed internal project names: Tengu is Claude Code's own codename, Fennec maps to Opus 4.6, Capybara appears to be a new model family (possibly connected to the "Mythos" model referenced in other leaks), and Numbat is an unreleased model. "Penguin Mode" is the internal name for what users know as Fast Mode — the API endpoint is literally /api/claude_code_penguin_mode, and there's a kill-switch flag called tengu_penguins_off.
Undercover Mode. When Anthropic employees use Claude Code on repositories outside Anthropic's internal infrastructure, a mode activates that strips Co-Authored-By attribution from commits, prevents Claude from mentioning unreleased models or internal details in its responses, and suppresses references to internal codenames. It's essentially a mode that makes Anthropic's own AI coding assistant behave like a regular user's tool when the company is doing external work.
Prompt injection defenses — now visible. This is the part that drew the most concern from security researchers. Claude Code contains logic specifically designed to detect and resist prompt injection attacks — attempts by malicious content in the environment (a webpage, a file, a code comment) to hijack the agent's behavior. As noted by Waxell AI: "If you know where and how prompt injection defenses are applied, you can more easily find a bypass. If you know the system prompts, an attacker doesn't have to guess the preamble anymore to craft content that uses the right language to subvert the model."
That's the core security concern: not that credentials leaked (they didn't), but that the defensive architecture is now known.
What Anthropic Did
DMCA takedown notices went out the same day. By 2pm ET on March 31, Anthropic was actively pursuing removal of mirrors from GitHub and other platforms. The Hacker News confirmed the company acknowledged the incident and described it as a packaging error.
A corrected version of the package was released. The fix involved excluding *.map files from the npm publication, which is a one-line addition to .npmignore or the files field in package.json. The Bun bug itself remains open as of this writing — the underlying issue hasn't been patched upstream.
What It Means for People Using Claude Code
Anthropic was explicit: no customer data, no API keys, no credentials were exposed. If you use Claude Code, your code, your keys, and your account are unaffected by this incident.
What did change is the attack surface for prompt injection against Claude Code specifically. Security-conscious teams using Claude Code in environments where it processes untrusted input — web scraping, reading external files, running in CI pipelines — should be aware that the defensive logic is now documented. It doesn't mean the defenses don't work. It means they're no longer protected through obscurity.
For most individual developers and small businesses using Claude Code as a personal coding assistant, nothing practical changes.
The Broader Lesson: Publishing Software Has Hidden Steps
The part of this story that deserves the most attention isn't the leak itself — it's how easily it happened.
Three things would have independently prevented this incident:
- A *.map entry in .npmignore — one line of text
- A files field in package.json — an explicit list of what to ship
- An npm pack --dry-run step in the CI pipeline — a two-second sanity check
None of the three were in place. This isn't a failure unique to Anthropic. Teams that ship npm packages, PyPI packages, or any software artifact that goes through a build process are exposed to the same category of problem. Build artifacts, debug symbols, environment files, internal documentation — all of it can accidentally travel along with a release if nobody's checking.
The specific Bun bug made things worse in this case: the normal expectation that setting development: false suppresses source maps was violated. When you depend on a tool to not produce an artifact, and that tool has a known bug that produces it anyway, the only protection left is the exclusion rule that was also missing.
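The pre-publish check described above, as an added example (not Anthropic's pipeline or code from any of the cited sources): a Node.js function that audits a file list in the shape `npm pack --dry-run --json` reports and flags source maps and size blowups. The package name, size budget, forbidden patterns and sample manifests are constructed for illustration.

```javascript
// Added example: gate a release on the file list npm reports for the tarball.
// In CI the input would come from `npm pack --dry-run --json`; here it is a
// constructed sample so the check runs offline.

// Patterns for files that should never ship (assumed policy, adjust per project).
const FORBIDDEN = [/\.map$/i, /(^|\/)\.env(\..*)?$/i, /\.(pem|key)$/i];

// Returns a list of human-readable violations; an empty list means "safe to publish".
function auditPackManifest(packJson, { maxUnpackedBytes, forbidden = FORBIDDEN }) {
  const violations = [];
  for (const pkg of packJson) {
    for (const file of pkg.files) {
      if (forbidden.some((re) => re.test(file.path))) {
        violations.push(`${pkg.id}: forbidden file ${file.path} (${file.size} bytes)`);
      }
    }
    // A size budget catches unexpected artifacts even when no pattern matches.
    if (pkg.unpackedSize > maxUnpackedBytes) {
      violations.push(
        `${pkg.id}: unpacked size ${pkg.unpackedSize} exceeds budget ${maxUnpackedBytes}`
      );
    }
  }
  return violations;
}

// Constructed samples: a build that ships its source map, and the corrected build.
const SAMPLE_BAD = [{
  id: "example-cli@1.0.0",
  unpackedSize: 62_000_000,
  files: [
    { path: "package.json", size: 1_200 },
    { path: "cli.js", size: 2_798_800 },
    { path: "cli.js.map", size: 59_200_000 },
  ],
}];
const SAMPLE_GOOD = [{
  id: "example-cli@1.0.1",
  unpackedSize: 2_800_000,
  files: SAMPLE_BAD[0].files.filter((f) => !f.path.endsWith(".map")),
}];

const BUDGET = { maxUnpackedBytes: 10_000_000 }; // assumed 10 MB ceiling
for (const sample of [SAMPLE_BAD, SAMPLE_GOOD]) {
  const found = auditPackManifest(sample, BUDGET);
  console.log(found.length ? found.join("\n") : `${sample[0].id}: ok`);
}
// In a real pipeline, set process.exitCode = 1 when violations are found.
```

The pattern check and the size budget are independent on purpose: either one alone would have stopped a 60 MB source map before it reached the registry.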
The lesson isn't that Anthropic was careless. It's that "release" is a surprisingly complex process with more failure points than most teams account for, and that the failure points at the edge — what actually goes into the tarball — are often the least scrutinized.
The Bottom Line
Anthropic accidentally shipped 512,000 lines of Claude Code's TypeScript source in an npm package on March 31, 2026. The root cause was a Bun bundler bug combined with a missing .npmignore rule and no pre-publish content check. No user data or credentials were exposed. The code was pulled quickly, but not before it spread.
What was inside was genuinely interesting — unreleased features, internal model codenames, and architectural details that researchers have spent weeks parsing. The security implication that matters most is that Claude Code's prompt injection defenses are now publicly readable.
For users: no action needed. For developers who ship packages: audit your .npmignore and add a dry-run check to your CI pipeline. For everyone watching AI tools mature: this is a useful reminder that even the companies building the most sophisticated AI systems are still running into the oldest kinds of engineering problems.
Sources:
- BleepingComputer — Claude Code source code accidentally leaked in npm package
- The Hacker News — Claude Code Source Leaked via npm Packaging Error, Anthropic Confirms
- The Register — Anthropic accidentally exposes Claude Code source code
- InfoQ — Anthropic Accidentally Exposes Claude Code Source via npm Source Map File
- NodeSource — Anthropic Accidentally Leaked Claude Code's Entire Source — Here's What Was Inside
- Waxell AI — Anthropic Just Leaked Claude Code's Source. Here's What That Means for Every AI Agent You Run.
- Alex Kim's blog — The Claude Code Source Leak: fake tools, frustration regexes, undercover mode, and more
- Layer5 — The Claude Code Source Leak: 512,000 Lines, a Missing .npmignore, and the Fastest-Growing Repo in GitHub History
If you're building software with AI tools and want to make sure your own release pipelines don't have gaps like these, book a free call with Sciensify and we'll walk through your setup with you.


